[rrg] [ILNP] Firewalls and good practices
RJ Atkinson <rja.lists@gmail.com> Mon, 09 July 2012 15:31 UTC
Return-Path: <rja.lists@gmail.com>
X-Original-To: rrg@ietfa.amsl.com
Delivered-To: rrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7297611E80A2 for <rrg@ietfa.amsl.com>; Mon, 9 Jul 2012 08:31:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.8
X-Spam-Level:
X-Spam-Status: No, score=-2.8 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1, SARE_SUB_RAND_LETTRS4=0.799]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Q-UJ4WwP18wg for <rrg@ietfa.amsl.com>; Mon, 9 Jul 2012 08:31:41 -0700 (PDT)
Received: from mail-qa0-f47.google.com (mail-qa0-f47.google.com [209.85.216.47]) by ietfa.amsl.com (Postfix) with ESMTP id B4CE011E808C for <rrg@irtf.org>; Mon, 9 Jul 2012 08:31:41 -0700 (PDT)
Received: by qabg1 with SMTP id g1so1682795qab.13 for <rrg@irtf.org>; Mon, 09 Jul 2012 08:32:06 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=from:content-type:content-transfer-encoding:subject:date:message-id :to:mime-version:x-mailer; bh=XjgejM4zzMNMcgrXxVHTqEmyc9oAI75wPaT/KuacqhQ=; b=hDpbNC14uGikBfTKi75yTi+actLgBzDiyeLXGoQJwd66Ix9fGXjzh/QGHkYp/REqL9 UC5yfZEwiBp3YGUbcIDeWqLyASM6g1OjFjXZ8JsXYHA2NzM6UxiEiDvXapMZapKtQpRn RYI6PypWizxC/04g+MrZ+C3+XMKFBFMkc28lRzLTGxyjZB8im44ZJRuHXWNJ0gLh7sNx M0oqK8KepeZhgvqc/9Yb+7yAvDDePwvhJZKfmwN8EDybb7lD6KZZAzBbvrDn+/yajIf8 ddGj/qi3lXA7GMSfN/zyT3ABSZw8HO3ngcsOYRY4Wy48DLESIV7bbpVyAibvbKIR+kC/ PMnA==
Received: by 10.224.32.205 with SMTP id e13mr57986689qad.69.1341847926436; Mon, 09 Jul 2012 08:32:06 -0700 (PDT)
Received: from [10.30.20.12] (pool-74-110-100-136.nrflva.fios.verizon.net. [74.110.100.136]) by mx.google.com with ESMTPS id cg7sm62012822qab.19.2012.07.09.08.32.04 (version=TLSv1/SSLv3 cipher=OTHER); Mon, 09 Jul 2012 08:32:05 -0700 (PDT)
From: RJ Atkinson <rja.lists@gmail.com>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Date: Mon, 09 Jul 2012 11:32:03 -0400
Message-Id: <6A72F33C-98DB-4AD3-99EE-53497A5342C8@gmail.com>
To: IRTF Routing RG <rrg@irtf.org>
Mime-Version: 1.0 (Apple Message framework v1278)
X-Mailer: Apple Mail (2.1278)
Subject: [rrg] [ILNP] Firewalls and good practices
X-BeenThere: rrg@irtf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: IRTF Routing Research Group <rrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/rrg>, <mailto:rrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/rrg>
List-Post: <mailto:rrg@irtf.org>
List-Help: <mailto:rrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/rrg>, <mailto:rrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Mon, 09 Jul 2012 15:31:42 -0000
Earlier, Stephane Bortzmeyer quoted this text: >> "The use of Identifiers enables firewalls to have access >> control rules that are based on identity, rather than address or >> location. This might permit a corporate IT security manager to give >> the CEO's laptop more privileges than a network-capable ID badge >> reader, for example." In the same note, Stephane Bortzmeyer commented: > This claim is not reproduced in the current set of I-D and rightly so: > because ILNP has no protection of the Identifier (such as ORCHID), > it is easy to lie about your Identifier. It is straight-forward to authenticate the Identifier/packet binding. 1) ILNP does support use of cryptographically-generated identifiers using the same mechanisms as have been specified for IPv6 Cryptographically-Generated Addresses (CGAs). For example, the mechanism in RFC-3972 can be used with ILNPv6. If one has a SEND implementation deployed, it also should be possible to use this with ILNPv6 as ND is not changed by ILNPv6. 2) Separately, the current set of I-Ds clearly specify how IPsec can be used with ILNP and also specify how ILNP IPsec differs from classic IPsec. In turn, ILNP IPsec AH can be used to cryptographically authenticate the binding of a particular Identifier value with a particular ILNP packet. Separate IETF work is underway to enable IPsec-related public key information to be stored in the DNS. Existing IETF standards specify DNS Security. DNSsec implementations are readily available now (e.g. BIND, others). DNSsec deployments in the global Internet appear to be growing rapidly. So it is straight-forward to cryptographically authenticate the Identifier value in a packet in an operational situation where that might be desirable. Situations where a firewall (or other security gateway) would examine a packet and authenticate the identifier(s) present in that packet (whether an IP address or an ILNP Identifier or something else) generally fall into the category of Intermediate Network Authentication -- since the security gateway is not one of the endpoints in the communications session. Some approaches to Intermediate Network Authentication, including the use of AH with an asymmetric digital signature, are covered by US Patent 5,511,122. This patent's existence has been disclosed, more than once, to the IETF, including a disclosure to the IETF IPsec WG mailing list back in 1996. The inventor on that patent has not been involved in any IETF work specifying use of AH with asymmetric digital signatures (e.g. RFC-4359). While I believe the quoted text at very top (i.e, about ILNP enabling identity-based authorisation/access-control) is still correct, it did not seem essential to document that optional capability as part of the current ILNP protocol specifications, while adding that description to the current ILNP protocol documents would have added procedural complexity to the publication process for the ILNP document set (e.g. due to IPR considerations). Yours, Ran
- [rrg] [ILNP] Firewalls and good practices Stephane Bortzmeyer
- [rrg] [ILNP] Firewalls and good practices RJ Atkinson